SLS Beamline Networks and Data Storage

1
SLS Beamline Networksand Data Storage
2
Old Network Layout (last year)
PSI network
SLS Accelerator
Gate way
Beamlines
3
The Problem

• Common beamline network is not safe
• Badly programmed CA clients can flood the network
  with broadcasts
• Users may accidently write to records of other
  beamlines
• Viruses etc may spread over all beamlines
• Industrial users want their data safe and
  protected
• Separate beamline networks need safe
  communication
• Access to machine and other beamlines
• Access from outside (e.g. offices)
• Internet access from beamline
• Storage access

4
New Network Layout (now)
PSI network
Firewall Switch
SLS Accelerator
Gate way
Gate way
Beamline1
Beamline2
5
Channel Access Gateway Setup

• All gateways connect to central accelerator
  network
• Assumption Beamline to beamline traffic is low
• Central services in accelerator network (e.g.
  archiver)
• All gateways are bi-directional
• Full write access from accelerator
• Limited write access from beamlines to
  machine(We trust the accelerator but not the
  beamlines)
• No write access from beamline to beamline
• Take care to prevent loops
• Access from outside world is read-only

6
Beamline Network
PSI network
Firewall
Firewall blocks incoming traffic except ssh to
login gateway.
Beamline hutch
vmWare
Login gateway
IOC
Accelerator
CA gateway
IOC Bootserver
Compute node
Softioc
Compute node
Compute node
User Laptop
Compute node
Console
Fileserver
Fileserver
GPFS
Detector
7
Safety Measures

• Firewall allows ssh from outside only to login
  gateway
• Other machines with less strict security cannot
  compromise system
• Login gateway has list of trusted users (PAM)
• Beamline scientists
• Beamline supporters
• People doing on-call service
• No external beamline users
• Servers are located in server room, not at the
  beamline
• No physical access
• Better cooling
• Uninterruptible power supply

8
VmWare Server System

• HP blade system
• 16 blades per enclosure
• Dual core Opteron 2.4 GHz
• 2 GB RAM
• 2 network connections
• Accelerator
• 16 beamlines via VLAN
• VmWare for virtual machines
• 256 MB per virtual machine

9
Beamline Storage
2 x 4 Gbit/sec Fibre Channel
500 GB SATA
Up to 4 disk arrays per beamline

• Up to 30 TB netto
• 400 MB/sec from one host
• 600-700 MB/sec total

RAID 6
10
Data safety

• Double redundancy with RAID 6
• Individual LDAP accounts for users
• No access to data of other users
• Automated account generation
• No long term storage
• 30 TB is just enough for one month
• No backup
• Users take data home on constantly synchronized
  external hard disk (Firewire or USB)